GDPR compliance



  • Is anyone dealing with this?
    I have done a quick preliminary analysis and the result is that I would need to have the ability to set a log retention period for captive portal logs.


  • Galactic Empire

    There's nothing to deal with.

    Set up a syslog server and store the data there.



  • @NogBadTheBad:

    There's nothing to deal with.

    Set up a syslog server and store the data there.

    But the data (logs) also remains inside pfSense, because remote syslogging means taking a log and copying it to a remote machine.



  • @mdes:

    But the data (logs) also remains inside pfSense, because remote syslogging means taking a log and copying it to a remote machine.

    Have a look at these logs first  ;)

    Btw: pfSense uses circular logs that have a fixed size. This means that once they are full, old information is overwritten. Which implies that old information will be destroyed in the near future. They are auto-cleaning!

    As long as you, as an admin, are not logging all kinds of information like user traffic with the help of packages like, for example, squid, you have nothing to do with this "private act".
    IP addresses, and even MAC addresses, are not considered as "private info" **.
    And even if you do, think about destroying the info - and never use the info. Do so, and you'll be fine for more than 99 %.
    Facebook and Google will take care of the latter 1 % soon.

    GDPR compliance or not, it's true that many countries ask to log (local - so worthless) IP addresses and MAC addresses when you offer Internet access (with the help of the captive portal).

    ** and if they were, well, the guy who pretends so should not be using the "Internet" anymore as a public communication channel.



  • @mdes

    IP addresses are regarded as PII under GDPR, see ECJ ruling. Explanation here:

    https://www.enterprisetimes.co.uk/2016/10/20/ecj-rules-ip-address-is-pii/

    You'll need to have a "right to be forgotten" process for that log data, plus you probably will have to declare the logs' existence in your data policies.



  • @mdes

    So you're probably aware of the following, but it does cover what I understand to be the most relevant aspects of GDPR in relation to a pfSense device.

    https://www.firewallhardware.it/en/gdpr-pfsense-opnsense/

    You'll know what you are using the device for, so some aspects will affect you more than others.